OpenStack Compute (nova)

nova secgroup-list-rules shows empty table

Bug #1463372 reported by Alex Stafeyev on 2015-06-09

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Invalid	Medium	Unassigned

Bug Description

We see no secgroups rules with nova command-
We should see the existing rules even with nova command, Specially if we see the rules in GUI via COMPUTE tab.

1. see security groups with

neutron security-group-rule-list

2. see security groups with nova command

nova secgroup-list-rules GROUPID

neutron security-group-rule-list
+--------------------------------------------------------------38d6-4d58-b624-011c2c05e165 | default | 13c64385-ac4c-4321-bd3f-ec3e0ca939e1 | default | 261ae2ec-686c-4e53-9578-1f55d92e280d | default | 41071f04-db2c-4e36-b5f0-8da2331e0382 | sec_group | 45639c5d-cf4d-4231-a462-b180b9e52eaf | default | 5bab336e-410f-4323-865a-eeafee3fc3eb | sec_group | 5e0cb33f-0a3c-41f8-8562-a549163d655e | sec_group | 67409c83-3b62-4ba5-9e0d-93b23a81722a | default | 82676e25-f37c-4c57-9f7e-ffbe481501b5 | sec_group | 89c232f4-ec90-46ba-989f-87d7348a9ea9 | default | ad50904e-3cd4-43e2-9ab4-c7cb5277cc4d | sec_group | c3386b79-06a8-4609-8db7-2924e092e5e9 | default | c37fe4d0-01b4-40f9-a069-15c8f3edffe4 | default | c51371f1-d3ae-4223-a044-f7b9b2eeb8a1 | sec_group | d3d6c1b3-bde5-45ce-a950-5bfd0fc7fc5c | default | d4888c02-0b56-412e-bf02-dfd27ce84580 | sec_group | d7e0aee8-eee4-4ca1-b67e-ec4864a71492 | default | df6504e5-0adb-411a-9313-4bad7074c42e | default | e0ef6e04-575b-43ed-8179-c221d1e4f962 | default | e828f2ef-518f-4c67-a328-6dafc16431b9 | sec_group +--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
| ethertype | protocol/port | remote |
/>----+----------------+-----------+-----------+---------------+-----------------+
| ingress | IPv6 | any | default (group) |
| ingress | IPv4 | any | default (group) |
| egress | IPv4 | any | any |
| egress | IPv4 | icmp | any |
| egress | IPv6 | any | any |
| ingress | IPv4 | icmp | any |
| egress | IPv6 | any | any |
| egress | IPv4 | any | any |
| egress | IPv4 | any | any |
| ingress | IPv4 | any | default (group) |
| egress | IPv4 | 1-65535/tcp | any |
| egress | IPv6 | any | any |
| egress | IPv6 | any | any |
| ingress | IPv4 | 1-65535/udp | any |
| ingress | IPv6 | any | default (group) |
| egress | IPv4 | 1-65535/udp | any |
| ingress | IPv4 | any | default (group) |
| ingress | IPv6 | any | default (group) |
| egress | IPv4 | any | any |
| ingress | IPv4 | 1-65535/tcp | any |
/>----+----------------+-----------+-----------+---------------+-----------------+

Kilo+rhel7.1
python-neutron-2015.1.0-1.el7ost.noarch
openstack-neutron-openvswitch-2015.1.0-1.el7ost.noarch
python-neutronclient-2.4.0-1.el7ost.noarch
openstack-neutron-2015.1.0-1.el7ost.noarch
openstack-neutron-ml2-2015.1.0-1.el7ost.noarch
openstack-neutron-lbaas-2015.1.0-3.el7ost.noarch
openstack-neutron-fwaas-2015.1.0-3.el7ost.noarch
openstack-neutron-common-2015.1.0-1.el7ost.noarch
python-neutron-lbaas-2015.1.0-3.el7ost.noarch
python-neutron-fwaas-2015.1.0-3.el7ost.noarch

openstack-nova-common-2015.1.0-4.el7ost.noarch
openstack-nova-cert-2015.1.0-4.el7ost.noarch
openstack-nova-compute-2015.1.0-4.el7ost.noarch
openstack-nova-console-2015.1.0-4.el7ost.noarch
python-nova-2015.1.0-4.el7ost.noarch
openstack-nova-scheduler-2015.1.0-4.el7ost.noarch
python-novaclient-2.23.0-1.el7ost.noarch
openstack-nova-api-2015.1.0-4.el7ost.noarch
openstack-nova-novncproxy-2015.1.0-4.el7ost.noarch
openstack-nova-conductor-2015.1.0-4.el7ost.noarch

See original description

Revision history for this message

Alex Stafeyev (astafeye) wrote on 2015-06-10:

In Gui in order to see secgroups we go through COMPUTE-> Security groups so The cli version on this should give the same output as Gui

description:

updated

Revision history for this message

Markus Zoeller (markus_z) (mzoeller) wrote on 2015-06-10:

Reproduces with devstack:

Devstack commit: 84acb7a3a9af63e35ecc043d1426f568904ac22c
Nova commit: 7ddf7aab4edb09fab6e5b8f49461f7dbaa4da4a2

local.conf: http://paste.openstack.org/show/281460/
terminal session: http://showterm.io/18f66845ec3a97e5bacb8

Changed in nova:
status:	New → Confirmed

Revision history for this message

melanie witt (melwitt) wrote on 2015-06-11:

I'm guessing this isn't a novaclient issue because usually if novaclient shows an empty table, it means nova responded with an empty data. One way to check is do 'nova --debug nova secgroup-list-rules GROUPID" and see if any data is coming back from nova in the response. If there is nothing in the response, is there any error in n-api.log?

Revision history for this message

Liyingjun (liyingjun) wrote on 2015-06-17:

Nova only supported ingress rule, so all egress rules will not be shown through nova API, actually it's excluded here [1], output of nova --debug secgroup-list-rules <SECGROUP_ID>:
...
RESP BODY: {"security_group": {"rules": [{"from_port": null, "group": {"tenant_id": "11ddf880084d4ac4a5c9b5670e71f07a", "name": "default"}, "ip_protocol": null, "to_port": null, "parent_group_id": "8b3da216-cd48-4e90-8c8a-358d3ec65896", "ip_range": {}, "id": "060a7978-0eb7-4813-8293-7d38d6a03e6c"}, {"from_port": null, "group": {"tenant_id": "11ddf880084d4ac4a5c9b5670e71f07a", "name": "default"}, "ip_protocol": null, "to_port": null, "parent_group_id": "8b3da216-cd48-4e90-8c8a-358d3ec65896", "ip_range": {}, "id": "4c4f94e4-8bf1-4ae1-acae-e0701de681e1"}, {"from_port": 22, "group": {}, "ip_protocol": "tcp", "to_port": 22, "parent_group_id": "8b3da216-cd48-4e90-8c8a-358d3ec65896", "ip_range": {"cidr": "0.0.0.0/0"}, "id": "7818519f-7873-4236-aac2-980663954d6e"}], "tenant_id": "11ddf880084d4ac4a5c9b5670e71f07a", "id": "8b3da216-cd48-4e90-8c8a-358d3ec65896", "name": "default", "description": "Default security group"}}
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| | | | | default |
| | | | | default |
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+

[1]: https://github.com/openstack/nova/blob/master/nova/network/security_group/neutron_driver.py#L98

Chung Chih, Hung (lyanchih) on 2015-07-17

Changed in nova:
assignee:	nobody → lyanchih (lyanchih)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-07-17: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/203022

Changed in nova:
status:	Confirmed → In Progress

John Garbutt (johngarbutt) on 2015-09-15

Changed in nova:
importance:	Undecided → Medium

melanie witt (melwitt) on 2015-09-15

no longer affects:

python-novaclient

Davanum Srinivas (DIMS) (dims-v) on 2016-03-06

Changed in nova:
assignee:	Chung Chih, Hung (lyanchih) → nobody
status:	In Progress → Confirmed

Revision history for this message

Anusha Unnam (anusha-unnam) wrote on 2016-08-29:

Based on the comment from Jay Pipes, looks like the os-security-groups API extension has been deprecated and removed from Nova as of the 2.36 microversion.
So can we mark this bug as Invalid?

Augustina Ragwitz (auggy) on 2016-08-30

Changed in nova:
status:	Confirmed → Invalid

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-02: Change abandoned on nova (master)

Change abandoned by Michael Still (<email address hidden>) on branch: master
Review: https://review.openstack.org/203022
Reason: This patch has been sitting unchanged for more than 12 weeks. I am therefore going to abandon it to keep the nova review queue sane. Please feel free to restore the change if you're still working on it.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.